author | Vijay Anusuri <vanusuri@mvista.com> | 2024-01-23 11:10:38 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-31 03:51:10 -1000 |
commit | 574b30350364287ca9c29f44174d8448f140b278 (patch) | |
tree | d29cb555751f1a315cadbcf69c08ed78552e1e96 | |
parent | bffa4f3051a7cae61ccb63b6d711e94f633ae32f (diff) | |
download | poky-574b30350364287ca9c29f44174d8448f140b278.tar.gz |
gnutls: Backport fix for CVE-2024-0553
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
(From OE-Core rev: a07cc0b6fa4a485f318fd2957e434b63f5907d7e)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch | 125 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 |
2 files changed, 126 insertions, 0 deletions
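--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption. This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+int ret, dsize;
+ssize_t data_size = _data_size;
+gnutls_psk_server_credentials_t cred;
+- gnutls_datum_t premaster_secret = { NULL, 0 };
+volatile uint8_t ver_maj, ver_min;
+
+cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ver_maj = _gnutls_get_adv_version_major(session);
+ver_min = _gnutls_get_adv_version_minor(session);
+
+- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+- if (premaster_secret.data == NULL) {
++ /* Find the key of this username. A random value will be
++ * filled in if the key is not found.
++ */
++ ret = _gnutls_psk_pwd_find_entry(session, info->username,
++ strlen(info->username), &pwd_psk);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++
++ /* Allocate memory for premaster secret, and fill in the
++ * fields except the decryption result.
++ */
++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++ session->key.key.data = gnutls_malloc(session->key.key.size);
++ if (session->key.key.data == NULL) {
+gnutls_assert();
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
+return GNUTLS_E_MEMORY_ERROR;
+}
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+/* Fallback value when decryption fails. Needs to be unpredictable. */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+if (ret < 0) {
+gnutls_assert();
+- goto cleanup;
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
++ return ret;
+}
+
++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++ _gnutls_write_uint16(pwd_psk.size,
++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++ pwd_psk.size);
++ _gnutls_free_key_datum(&pwd_psk);
++
+gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+- &ciphertext, premaster_secret.data,
+- premaster_secret.size);
++ &ciphertext, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+/* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+* channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+/* This is here to avoid the version check attack
+* discussed above.
+*/
+- premaster_secret.data[0] = ver_maj;
+- premaster_secret.data[1] = ver_min;
++ session->key.key.data[2] = ver_maj;
++ session->key.key.data[3] = ver_min;
+
+- /* find the key of this username
+- */
+- ret =
+- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret =
+- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = 0;
+- cleanup:
+- _gnutls_free_key_datum(&pwd_psk);
+- _gnutls_free_temp_key_datum(&premaster_secret);
+-
+- return ret;
++ return 0;
+}
+
+static int
+--
+2.25.1
+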
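Review bot: The return value of `gnutls_privkey_decrypt_data2` at patch lines 80-84 is discarded on purpose — the unpredictable fallback was already written into `session->key.key.data + 2` by the `gnutls_rnd` call at lines 62-63, so a failed decryption must leave the buffer as is without any branch — but the call itself carries no marker of that intent, and the comments at lines 59 and 85-87 are easy to overlook when someone later silences an unused-result warning, which would reintroduce exactly the conditional this backport removes. Make it explicit with `(void)gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,` and a comment on the line above such as `/* Result deliberately ignored: on failure the random fallback filled in above stays in place; branching here would recreate the timing oracle (CVE-2024-0553). */`. Separately, the allocation at line 49 stores into `session->key.key.data` without releasing whatever the session already held there; if this proc function can run with `key.key` populated (a repeated handshake, for instance), the previous buffer leaks — presumably the handshake state is cleared before this point, but that is worth confirming against the callers. `_gnutls_proc_rsa_psk_client_kx` begins outside the hunks shown.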
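--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2021-4209.patch \
 file://CVE-2023-0361.patch \
 file://CVE-2023-5981.patch \
+file://CVE-2024-0553.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"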